31/07/2014

By Ian Lowe, Senior Product Marketing Manager, Identity Assurance, HID Global


Today’s employees are increasingly distributed and mobile, requiring many businesses to take a new look at how to establish trust in a user’s identity and control their access accordingly. With reports on the rise of data breach incidents caused by negligent or malicious employees, or by malware-compromised credentials, businesses are strongly advised to re-evaluate their approach to access control.

We recently carried out a survey into enterprise end users’ perceptions about access control and the importance of industry best practices, and learned that a mixture of complacency and budget-related concerns is continuing to stall essential security upgrades. According to the findings, more than half of the 600 respondents have not upgraded in the last year, leaving their operations open to unnecessary risk. With monetary concerns remaining the biggest barrier to implementing security best practice, it is clear that management is not seeing value in the investment. Yet, according to Ponemon Institute, the estimated fallout of a data breach, as a result of reputational damage, lost sales or legal fines, can be some $5.4 million.

To ensure full operational security, it is critical for businesses to reassess and review authentication methods, looking beyond simple passwords to consider advanced solutions that provide secure access to data, doors and cloud applications. This begins by refining the way in which ‘identity’ is created and addressing how access is managed across both physical and logical environments. Historically, the focus for businesses has been on creating a strong perimeter to secure access to their physical and IT resources. Typically, legacy access control approaches dictated that a user had to present an ID badge to gain entry into a building and then, once inside, use static passwords to authenticate to IT resources. Given the nature of today’s Advanced Persistent Threats (APTs), the internal risks associated with Bring Your Own Device (BYOD) adoption and the popularity of cloud-based applications, however, these methods of securing access are insufficient.

Looking to converged solutions, where multiple access control use cases and identities can be supported on one card or smartphone, provides businesses with a single access control solution. In such an environment, any piece of access control data can be supported on a smartphone or card, including data for physical access control, cashless payments, PC logon and many other applications. This convergence of use cases eliminates the need for users to remember and carry separate cards or other devices for opening doors, logging onto computers, and accessing cloud-based applications. Truly converged access control is grounded in the philosophy of one security policy, one credential and one audit log. In some businesses, where credential management is fully converged, a single corporate policy is in place that defines acceptable access and use of resources, and there is a single master user repository and logging tool for simplified reporting and auditing.

Aside from the obvious benefits of convenience, there are significant advantages to giving users a single solution for securing everything from the cloud to data to doors. Not only does it ensure strong, consistent multi-factor authentication throughout the IT infrastructure on key systems and applications, rather than just at the perimeter, it can also greatly reduce ongoing operational costs by centralising identity and access management processes and consolidating tasks. From a cost perspective, this approach delivers longevity of investment, simplifying the process of adding future applications that further improve security, such as fingerprint, iris, hand geometry or other biometric templates that can be securely stored on the card or phone for additional factors of authentication as security needs dictate.

If businesses continue to delay shoring up their defences against today’s threats to traditional cards and readers, as our research indicates they might, it will become difficult for enterprise infrastructures to move easily to more advanced access control systems, in which digital credentials carried on smart cards or smartphones in BYOD deployment environments ensure that converged physical and logical access control is a seamless, yet secure, experience. Proactively making a straightforward change like this today will ensure that a business’s access control solution can adapt to future threats and take advantage of opportunities and applications beyond access control.